Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

How to Identify and Eliminate Abusive Web Notifications

Has a notification appeared on your Mac that claims your McAfee anti-virus software subscription has ended, “Your iCloud is being hacked,” or someone is trying to access your bank account? These attempts to phish you by notification are malware, plain and simple—the form known as adware. The alerts try to trick users into visiting a fake website and entering login credentials or credit card information to facilitate identity theft, just like a phishing attempt via email. Attempting to eliminate the notifications by running anti-malware apps like Malwarebytes, DetectX Swift, or VirusBarrier won’t work. What’s going on?

Sample abusive notifications

Randy Singer, who runs the MacAttorney User Group and publishes a variety of pages with helpful Mac advice, passed on this warning about abusive notifications recently. Such abuses of Web push notifications have existed for years, but I’ve never seen one on my Mac. Between Randy’s warning and reader David Roessler writing in a few days later to suggest a similar article, I decided it was time to address the topic.

Unlike regular malware, notification adware doesn’t require an infection, so anti-malware software has nothing to find or remove. Instead, notification adware exploits the capability of Web browsers to let websites display system-level notifications just like native apps. No one would intentionally sign up for adware notifications, of course, but websites can—and increasingly do—ask users if they’d like to receive notifications. There’s nothing inherently wrong with a website offering notifications. As one of many examples, the Discourse software we use for TidBITS Talk offers notifications for those who want to be notified of new messages or replies. But like many well-intentioned technologies, Web notifications can be turned to the dark side.

Part of the problem is that agreeing to receive notifications requires nothing more than pressing Return to accept the Allow option when Safari’s permission dialog appears, and websites can present their own dialogs before triggering Safari’s dialog to lull users into complacency. Once notifications have been allowed, they have the imprimatur of coming from macOS, which makes them seem all the more believable.

Notification request in Safari

Of course, if you’re paying attention and are sufficiently technically aware—as most TidBITS readers are—simply click Don’t Allow when a website asks for notification permission. That’s what I do in nearly all instances. I’ve allowed sites to present notifications in only a handful of cases.

If you’re categorically opposed to notifications or are assisting someone who may not understand what they’re agreeing to, Safari provides a simple way to ensure you’re never asked to allow notifications. Go to Safari > Settings > Websites > Notifications, and deselect “Allow websites to ask for permission to send notifications” at the bottom.

Blocking all notifications in Safari

Other Web browsers can also be subverted to show abusive notifications, and they too let you avoid being prompted at all. The interfaces vary slightly, but most will look like Google Chrome, as shown below.

  • Arc: Choose Arc > Settings > General > Notifications and select “Don’t allow sites to send notifications.”
  • Brave: Navigate to Brave > Settings > Privacy and Security > Site and Shield Settings > Notifications and select “Don’t allow sites to send notifications.”
  • Firefox: Go to Firefox > Settings > Privacy & Security > Notifications and select “Block new requests asking to allow notifications.”
  • Google Chrome: Navigate to Chrome > Settings > Privacy and Security > Site Settings > Notifications and select “Don’t allow sites to send notifications.”
  • Microsoft Edge: Choose Microsoft Edge > Settings > Cookies and Site Permissions > Notifications and turn off “Ask before sending.”

Disable notifications in Chrome

In theory, Chrome should be less susceptible to phishing notifications than Safari, potentially along with other Chrome-derived browsers (everything in the list except Firefox). In 2020, Google introduced the middle option above for “quieter messaging,” which replaces the permission dialog with a bell icon next to the site name in the address bar—click it to allow notifications. In subsequent updates in 2020, Google started identifying websites that display abusive notifications and calling them out in the permission request. I say “in theory” because Apple consultant Adam Rice told me he mostly sees spammy notifications in Chrome.

Google Chrome's quieter messaging interface

Disabling “Allow websites to ask for permission to send notifications” prevents new sites from spamming you with notifications. But what about sites that already have permission? It’s easy to block their notifications in Safari too. If you have any sites with Allow in the pop-up menu to the right of their name in the Notifications screen, just choose Deny from that menu. Firefox’s interface is similar. Don’t remove the site because—depending on other settings—that may allow it to ask again for permission.

Blocking an already approved website displaying abusive notifications in Safari

Chrome-based browsers separate the blocked and allowed sites. To block a website whose notifications you no longer want to receive, click the button to the right and choose Block.

Blocking an already approved website that's showing abusive notifications

Finally, if these notifications plague you or someone you know, consider the websites being visited. Websites that trick users into allowing notifications so they can display phishing notifications are malicious, or at least complicit in allowing their visitors to be targeted by including third-party elements that engage in this phishing. Ideally, you’d avoid them.

It may not be that easy. In 2020, security journalist Brian Krebs wrote about a service called PushWelcome that advertised the ability for website publishers to monetize their traffic. It asked publishers to include a small script that generated the often-deceptive notification requests on legitimate sites. PushWelcome appears defunct now, but other such ad networks may still exist.

I realized it’s easier to say, “Don’t visit sketchy websites,” than explain what makes a site problematic. Nevertheless, if you—or the person you’re helping—have any doubt about the legitimacy of a website or the website owner’s security capabilities (for protecting their site against subversion by hackers or being deceived by an ad network like PushWelcome), you might not want to trust it to display notifications or collect any personal information.

If you run across a site that pushes spammy notifications at you, report it to Google Safe Browsing, which warns users about problematic sites. It currently issues over 3 million warnings per week, which sounds like a lot until you see it offered over 50 million warnings per week in mid-2016.

To stay safe on the Web, browse with care and click with intention.

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About How to Identify and Eliminate Abusive Web Notifications

Notable Replies

  1. Opera: Go to Opera > Preferences > Privacy and Security > Site Settings > Notifications and select “Don’t allow sites to send notifications”

    Vivaldi: Go to Vivaldi > Preferences > Privacy and Security. In the Privacy section, go to Default Permissions and select the “Block” option for “Notifications”

  2. All very useful, guys. Thanks.

  3. Screen shots for Firefox (114.0.2):

    On the Preferences → Privacy & Security page:

    Screen Shot 2023-06-27 at 09.44.07

    On its Settings page:

    I have had notifications disabled in this fashion since they were first invented. While I agree that some may find them useful, I really don’t want my web browser constantly maintaining connections to remote servers when I’m not actually visiting the corresponding site. It just smells like the potential for too many problems including:

    • Lots of wasted bandwidth
    • Lack of privacy
    • A vector for malware infections

    Plus the issues @ace mentioned in the article.

    Maybe the reality isn’t as bad as I’m afraid, but my gut says it’s too risky.

  4. “Just because I’m paranoid doesn’t mean they aren’t out to get me.”

    And if a tech wizard like you thinks it’s too risky, that just confirms what my gut told me. Thanks.

  5. Thanks for the heads-up. I just tracked down this setting in Firefox and shut down notifications. It looked like only two sites had asked to send them, and they were both blocked, but I removed them.

  6. Removing them may be counter-productive, as I noted in the article, because if something ever resets the option to allow notification permission requests, those sites can ask again.

  7. Yes. When you refuse to allow notifications from a site, that entry in the settings is the record of your refusal. If you remove it, then Firefox won’t know that you refused it, meaning and the site can (and probably will) ask again.

    Unless you check the box blocking all new requests, of course, in which case all sites are blocked.

    If you use (or think you might want to use) notifications, then you can’t auto-block all requests, and you want to maintain your list of blocked sites so you don’t get repeated requests.

  8. I did block all new requests, so it seemed like leaving the two that were already blocked was redundant.

Join the discussion in the TidBITS Discourse forum


Avatar for ace Avatar for tommy Avatar for romad Avatar for Will_M Avatar for Shamino Avatar for kat634e